CB Response: Alert delays to SIEM

Article ID: 290477

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Commands run on an endpoint do not appear in the SIEM for 20 minutes or more

Environment

  • CB Response Server: 6.2 and Higher

Cause

The watchlist_search job is taking more than 10 minutes to iterate through the enabled watchlists and threat reports. The next watchlist_search pass cannot do any work until the current one finishes, so every subsequent pass, and every alert it would have forwarded to the SIEM, is delayed by at least that long.

Resolution

  • This behavior is expected when too many watchlists are enabled or when individual watchlists use inefficient queries.
  • Audit the current threat reports and watchlists and disable any that are not necessary, to reduce the total search time.
  • Rewrite or narrow any watchlists that time out regularly (the job-runner log identifies them; see Additional Information).

Additional Information

  • There is always some delay between an event occurring on an endpoint and its being ingested by the server; the delay described here is in addition to that baseline.
  • /var/log/cb/job-runner/job-runner.log shows when each watchlist_search pass completes and which watchlists may have failed to complete:
    • A "finished watchlist_search" line shows the run time of that pass. If a pass reports finishing in under a second, it did not actually search: an earlier pass was still running, so this one exited immediately.
    • An "<err> [watchlist_search]" line shows errors from the watchlist_search job, including watchlists that failed to complete.
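As an added example (not Carbon Black's own tooling), the following Python script triages job-runner.log the way the notes above describe: it pulls the run time from each "finished watchlist_search" line, flags passes over 10 minutes and passes under a second, and lists the watchlists named in "<err> [watchlist_search]" lines. Only those two markers come from the article; the rest of the line layout, the run time appearing as "<number>s" on the finished line, the single-quoted watchlist names in error messages, and the sample log lines are all constructed assumptions that may need adjusting for a real server.

```python
"""Triage watchlist_search timing from a CB Response job-runner.log.

Added example, not Carbon Black's own tooling. It relies only on the two markers
the article names ("finished watchlist_search" and "<err> [watchlist_search]");
the rest of the line layout, and the run time appearing on the finished line as
"<number>s", are assumptions and may need adjusting for your server's log.
"""
import re
import sys
from dataclasses import dataclass, field

SLOW_SECONDS = 600.0  # over 10 minutes: the next watchlist pass is pushed back at least this much
NOOP_SECONDS = 1.0    # under a second: the pass did nothing because an earlier one was still running

# Timestamp is taken as the first two whitespace-separated tokens (assumed "date time").
FINISHED_RE = re.compile(r"^(?P<ts>\S+ \S+).*?finished watchlist_search.*?(?P<secs>\d+(?:\.\d+)?)s\b")
ERROR_RE = re.compile(r"^(?P<ts>\S+ \S+).*?<err> \[watchlist_search\]\s*(?P<msg>.*)$")

# Constructed sample lines in the assumed layout; not copied from a real server.
SAMPLE_LOG = """\
2024-05-06 09:00:00,011 [job-runner] <info> [watchlist_search] starting watchlist_search
2024-05-06 09:11:42,870 [job-runner] <info> [watchlist_search] finished watchlist_search in 702.86s
2024-05-06 09:11:42,901 [job-runner] <err> [watchlist_search] watchlist 'Rare Parent-Child Process' timed out after 300s
2024-05-06 09:12:00,003 [job-runner] <info> [watchlist_search] finished watchlist_search in 0.04s
2024-05-06 09:15:00,002 [job-runner] <info> [watchlist_search] starting watchlist_search
2024-05-06 09:16:05,440 [job-runner] <info> [watchlist_search] finished watchlist_search in 65.44s
""".splitlines()


@dataclass
class Run:
    timestamp: str
    seconds: float

    @property
    def slow(self) -> bool:
        return self.seconds >= SLOW_SECONDS

    @property
    def noop(self) -> bool:
        return self.seconds < NOOP_SECONDS


@dataclass
class Report:
    runs: list = field(default_factory=list)     # Run objects, in log order
    errors: list = field(default_factory=list)   # (timestamp, message) tuples


def parse_job_runner_log(lines):
    """Collect every watchlist_search completion and error from an iterable of log lines."""
    report = Report()
    for line in lines:
        m = FINISHED_RE.search(line)
        if m:
            report.runs.append(Run(m.group("ts"), float(m.group("secs"))))
            continue
        m = ERROR_RE.search(line)
        if m:
            report.errors.append((m.group("ts"), m.group("msg").strip()))
    return report


def failing_watchlists(report):
    """Watchlist names quoted in error lines, de-duplicated (single-quoted names are an assumption)."""
    names = []
    for _, msg in report.errors:
        m = re.search(r"'([^']+)'", msg)
        if m and m.group(1) not in names:
            names.append(m.group(1))
    return names


def summarize(report):
    """The counts a responder wants first: slow passes, no-op passes, and what failed."""
    return {
        "passes": len(report.runs),
        "slow_passes": sum(r.slow for r in report.runs),
        "noop_passes": sum(r.noop for r in report.runs),
        "longest_seconds": max((r.seconds for r in report.runs), default=0.0),
        "errors": len(report.errors),
        "failing_watchlists": failing_watchlists(report),
    }


def main(argv):
    # Usage: python triage.py /var/log/cb/job-runner/job-runner.log  (no argument: built-in sample)
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            report = parse_job_runner_log(fh)
    else:
        report = parse_job_runner_log(SAMPLE_LOG)
    for r in report.runs:
        flag = "SLOW" if r.slow else ("NO-OP" if r.noop else "ok")
        print(f"{r.timestamp}  {r.seconds:9.2f}s  {flag}")
    for ts, msg in report.errors:
        print(f"{ts}  ERROR  {msg}")
    print(summarize(report))


if __name__ == "__main__":
    main(sys.argv)
```

Run it against the real log after confirming the finished-line layout matches; any pass marked SLOW is one that pushed the following pass, and the SIEM alerts it carries, back by that run time, and the names under failing_watchlists are the first candidates to rewrite or disable.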